Glines said the continued implementation of the Affordable Care Act, more commonly known as Obamacare, will create a “richer target environment” for cyber criminals as more and more people enter their information online.
“Those responsible for the security of the data, obviously, must be held accountable and ensure that the proper security controls are in place for a couple of reasons,” said Glines. “One, because that’s the responsibility that comes with owning and maintaining patient data, but also because at the end of this year, the pointed end of the stick that really gets moving starts to go into effect which is the monetary fines and penalties for a breach of data. Not that there haven’t been some fines that have been levied, but it has been few and far between, so that will change presumably.”
Glines believes that one of the reasons for this glaring lack of IT security at many healthcare organizations is a lack of education or understanding about what best practices mean for network security.
“There are certainly those that believe that, ‘if I buy a firewall off the shelf, plug it in, turn it on and I get the green light that I’m good to go,’ but there’s more to it than that in terms of configuration,” added Glines. “I think it’s mostly a lack of knowledge about responsibilities and/or skills. I don’t think anyone is knowingly putting this at the bottom of the list of things they’re responsible for or things that they need to get done for the day. But I will say until a board of directors recognizes that if I don’t invest in the right education, skill sets or resources within my organization it will affect my earnings. It will be at that time when the right level of education starts to make its way into these organizations.”
Of the malicious events examined in the report, Glines estimated that anywhere from 25 to 50 percent of them could have been avoided if the organization had implemented basic security measures, such as good authentication and password policies. Although the SANS/Norse report focused on the U.S., it did look at IT security as it relates to healthcare organizations in other parts of the world and found that European companies had a much better security posture than their American counterparts.
“One interesting finding was that in Europe, in the developed EU countries, the number of incidents was far less on an apples-to-apples basis than that of the U.S., which is directly attributable to the more aggressive stance that the EU has with respect to data privacy laws and penalties for those that are not compliant versus the U.S.,” said Glines.
While data breaches inflict damage to the reputations of the companies affected by them, Glines said the real danger, especially for small-to-mid-sized businesses, is the fines, which will become increasingly harsh moving forward.
“The smaller you are, the less likely you are able to recover from an attack that is serious enough to be a breach,” added Glines. “For the mid-market and small-to-medium-sized businesses, the potential impacts are devastating in terms of ending a company’s existence. For the larger companies, they can withstand it, but it will be a rough quarter or two.”